Advanced

Compliance 101 for Crypto Businesses

A practical guide to blacklist monitoring, transaction screening, and risk management

If you operate an exchange, DeFi protocol, OTC desk, or payment processor that handles stablecoins, you need a compliance program. This guide covers the practical steps to implement blacklist monitoring, screen transactions, and build defensible risk policies.

Who needs compliance?

The short answer: any business that touches stablecoins. The regulatory landscape varies by jurisdiction, but the underlying risk is universal.

Centralized Exchanges

Highest regulatory burden. Must comply with local AML laws, often requiring full KYC, transaction monitoring, and SAR reporting.

Regulatory Risk: High

DeFi Protocols

Evolving landscape. Many jurisdictions now expect DeFi to implement some screening, especially for fiat on/off ramps.

Regulatory Risk: Medium-High

OTC Desks

High value, low volume transactions increase per-transaction risk. Counterparty due diligence is critical.

Regulatory Risk: High

Payment Processors

Processing stablecoin payments for merchants requires screening both sides of transactions.

Regulatory Risk: Medium

Even without regulation, there's liability

Many jurisdictions haven't explicitly regulated crypto, but that doesn't mean you're safe. Knowingly processing funds from blacklisted addresses can expose you to civil liability, banking partner issues, and future regulatory action.

Core requirements

Regardless of your business type, effective stablecoin compliance requires these components:

01 Real-Time Blacklist Monitoring

Know when addresses you've interacted with get blacklisted. This isn't optional: retroactive blacklisting means your clean transaction from yesterday could become a compliance issue today.

What you need:
  • API access to blacklist data across all chains you support
  • Real-time alerts when blacklist events affect your users
  • Historical lookup to check new customer addresses

02 Transaction Screening

Screen transactions before they execute. Deposits from blacklisted or high-risk addresses should be flagged, and withdrawals to such addresses should be blocked or reviewed.

What you need:
  • Pre-transaction checks for deposits and withdrawals
  • Configurable risk thresholds (block, flag, allow)
  • Queue for manual review of flagged transactions

03 Proximity Analysis

Look beyond direct blacklist matches. Addresses 1-2 hops from blacklisted funds carry elevated risk and should trigger enhanced due diligence.

What you need:
  • Graph analysis of transaction flows
  • Hop count calculation for each address
  • Risk scoring that incorporates proximity

04 Audit Trail

Document everything. When regulators or law enforcement ask how you handled a specific transaction, you need records showing what you checked, when, and what action you took.

What you need:
  • Timestamped logs of all screening decisions
  • Record of risk scores at time of transaction
  • Documentation of manual review decisions

Transaction screening framework

Here's a practical framework for implementing transaction screening:

1. Pre-Transaction Check

Before accepting a deposit or processing a withdrawal:

  • Check if address is directly blacklisted
  • Calculate proximity to blacklisted addresses
  • Check sanctions lists (OFAC, EU, UN)

2. Risk Scoring

Assign a risk score based on multiple factors:

  Blacklist Status     40%
  Proximity (Hops)     30%
  Transaction Amount   15%
  Historical Behavior  15%

3. Decision Matrix

  Score 0-30    Auto-Approve     Low risk, process normally
  Score 31-60   Flag for Review  Medium risk, manual review required
  Score 61-80   Escalate         High risk, senior review + documentation
  Score 81-100  Block            Critical risk, reject transaction

4. Post-Transaction Monitoring

After transaction completes:

  • Log all screening results and decisions
  • Set up ongoing monitoring for retroactive blacklisting
  • Update user risk profile based on transaction patterns
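The four steps above as one small screening pipeline, an added example that is not code from the original guide: it computes hop distance from listed addresses over a constructed transaction graph, applies the page's 40/30/15/15 weights and decision matrix, and records an audit-log entry for every decision. All addresses are constructed, and the per-hop decay, the $100k amount cap and the 25-points-per-prior-flag history rule are assumptions made here.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample data (not real addresses): lists plus a tiny sender -> receivers graph.
BLACKLIST = {"0xBAD1"}
SANCTIONS = {"0xBAD2"}  # stand-in for OFAC/EU/UN list entries
TX_GRAPH = {"0xBAD1": {"0xMIX1"}, "0xMIX1": {"0xUSER7"}, "0xUSER7": {"0xCLEAN9"}}
WEIGHTS = {"blacklist": 40, "proximity": 30, "amount": 15, "history": 15}
PROXIMITY_PTS = {0: 100, 1: 100, 2: 60, 3: 30}  # assumed decay; >3 hops scores 0
AUDIT_LOG = []  # timestamped record of every screening decision

def hops_from_listed(address, graph, listed, max_hops=3):
    """Walk incoming flows backwards: 0 = directly listed, None = beyond max_hops."""
    if address in listed:
        return 0
    incoming = {}  # reverse edges, so the search follows the source of funds
    for src, dsts in graph.items():
        for dst in dsts:
            incoming.setdefault(dst, set()).add(src)
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        for prev in incoming.get(node, ()) if depth < max_hops else ():
            if prev in listed:
                return depth + 1
            if prev not in seen:
                seen.add(prev)
                queue.append((prev, depth + 1))
    return None

def risk_score(address, amount_usd, prior_flags=0):
    """Weighted 0-100 score from the page's four factors; returns (score, hops)."""
    hops = hops_from_listed(address, TX_GRAPH, BLACKLIST | SANCTIONS)
    pts = {"blacklist": 100 if hops == 0 else 0, "proximity": PROXIMITY_PTS.get(hops, 0),
           "amount": min(amount_usd / 1_000, 100),   # assumed: $100k or more = 100 pts
           "history": min(prior_flags * 25, 100)}    # assumed: 25 pts per earlier flag
    return round(sum(WEIGHTS[k] * pts[k] for k in WEIGHTS) / 100), hops

def decide(score):
    """Decision matrix from the page: 0-30 / 31-60 / 61-80 / 81-100."""
    return ("auto-approve" if score <= 30 else "flag for review" if score <= 60
            else "escalate" if score <= 80 else "block")

def screen(address, amount_usd, prior_flags=0):
    """Pre-transaction check plus the audit-trail entry the page calls for."""
    score, hops = risk_score(address, amount_usd, prior_flags)
    action = decide(score)
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "address": address,
                      "hops": hops, "score": score, "action": action})
    return action
```

With the page's weights, an address that is not a direct match scores at most 60, so the escalate and block bands are reached only by direct blacklist or sanctions hits. A conservative policy that blocks on proximity alone therefore needs a hard rule or different weights rather than this matrix as written.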

Building risk policies

Your screening framework needs clear policies. Here's how to think about them:

Define your risk appetite

Different businesses have different tolerances. A regulated US exchange will have stricter policies than a DeFi protocol serving non-US users.

Policies range from conservative to permissive:

  Conservative  Block at 2+ hops               US exchanges, banks
                Block at 1 hop, review at 2    Most exchanges
  Permissive    Block only direct blacklist    Some DeFi protocols

Document exception processes

Real-world compliance isn't black and white. You need clear processes for:

False positives

What happens when a legitimate user is flagged? Document the evidence required to clear them and who has authority to approve.

Time-sensitive transactions

How do you handle urgent transactions that hit manual review? Define escalation paths and maximum review times.

Borderline cases

What about transactions that score just below your block threshold? Consider additional verification requirements.

Consistency is key: Whatever policies you choose, apply them consistently. Regulators are more concerned about inconsistent application than about where you set your thresholds. Document your policies and follow them.

Implementation checklist

Ready to implement? Here's your checklist:

  • Data Sources
  • Screening System
  • Policies & Documentation
  • Monitoring & Reporting

Key takeaways

1. Every crypto business needs compliance. Even without explicit regulation, processing blacklisted funds creates liability.
2. Screen before transactions execute. Catching issues after funds are received is much harder than preventing them.
3. Proximity matters as much as direct blacklist status. Looking only at direct matches misses significant risk.
4. Document everything. Consistent policies with clear audit trails are your best protection when regulators come calling.